CVE-2025-10353
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-12-11
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| melis_technology | melis_core | * |
| melis_technology | melis_cms | * |
| melis_technology | melis_cms_slider | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-43 | The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. |
